In the last few years, I've seen organizations extending the concept of least privilege to least installed or running. I have written about minimizing a system's attack surface by removing unnecessary software and turning off as many unused features as possible.
The draft release of the U.S. Defense Information Systems Agency's (DISA) “Red Hat 5 STIG” is no exception. I love it when security guidelines make these suggestions, but it can be frustrating when assessment scanners report false positives. For example, some scanners report a failure if they can't find a setting in a configuration file for software that isn't even installed on the system.
The new draft STIG requires entries in a configuration file to prevent the kernel from loading modules, even if the modules aren't installed on the system. Nonetheless, I have compiled a list of the required settings that must be placed in your modprobe.conf configuration file.
First of all, the STIG requires that the loading and removing of kernel modules be recorded by the auditing subsystem (GEN002825). The init_module and delete_module system calls (-S) are tracked, and watches (-w) are placed on the command-line utilities. Add the following rules to your audit.rules file:
-a always,exit -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
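Two checks a defender can run against these rules, as an added example that is not part of the STIG or of the original post: the first confirms an audit.rules file carries both syscall rules and all three watches, the second summarizes the events those rules produce by reading the key="modules" tag they attach to each record. The log lines and rules file below are constructed samples in auditd's SYSCALL record format; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the STIG or the post). Assumes auditd's standard
# "type=SYSCALL msg=audit(ts:serial): ... comm="x" exe="y" key="z"" format.

# Returns 0 if the rules file tracks both syscalls and watches all three tools.
audit_rules_cover_modules() {
    rules="$1"
    grep -Eq -e '-S[[:space:]]+init_module' "$rules"   || return 1
    grep -Eq -e '-S[[:space:]]+delete_module' "$rules" || return 1
    for tool in insmod modprobe rmmod; do
        grep -Eq -e "-w[[:space:]]+/sbin/$tool[[:space:]]+-p[[:space:]]+x" "$rules" || return 1
    done
    return 0
}

# Number of audit records tagged by the "-k modules" rules.
count_module_events() {
    grep -c 'key="modules"' "$1"
}

# One line per tagged record: "<timestamp> <auid> <comm> <exe>".
# auid is the login uid, so it survives su/sudo and names the real operator.
module_event_summary() {
    grep 'key="modules"' "$1" | awk '{
        ts = ""; auid = ""; comm = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^msg=audit\(/) { ts = $i; sub(/^msg=audit\(/, "", ts); sub(/:.*$/, "", ts) }
            else if ($i ~ /^auid=/) auid = substr($i, 6)
            else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^exe=/)  { exe = substr($i, 5);  gsub(/"/, "", exe) }
        }
        print ts, auid, comm, exe
    }'
}

# Constructed sample rules file: the four rules the STIG asks for.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
-a always,exit -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
EOF

# Constructed sample log: a modprobe execve (watch), an init_module call,
# an unrelated login record, and a delete_module call via rmmod.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1262304000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2100 pid=2143 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="modprobe" exe="/sbin/modprobe" key="modules"
type=SYSCALL msg=audit(1262304000.102:202): arch=c000003e syscall=175 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=0 ppid=2100 pid=2143 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="modprobe" exe="/sbin/modprobe" key="modules"
type=USER_LOGIN msg=audit(1262304010.500:203): user pid=2200 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1262304100.300:204): arch=c000003e syscall=176 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=0 ppid=2100 pid=2310 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="rmmod" exe="/sbin/rmmod" key="modules"
EOF

if audit_rules_cover_modules "$SAMPLE_RULES"; then
    echo "audit.rules: module tracking rules present"
fi
echo "module events: $(count_module_events "$SAMPLE_LOG")"
module_event_summary "$SAMPLE_LOG"
```

On a live system the same summary comes from `ausearch -k modules`; the awk version is useful when you only have a copied audit.log to work from. The login uid (auid) is the field to pivot on, since the uid in these records will almost always be 0.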
Unless your system has a specific need for the following networking-related modules, they shouldn't be loaded into the kernel. These modules aren't installed in a default Red Hat Enterprise Linux installation, but you'll still need to explicitly add entries to the modprobe.conf file:
- Network Bridging (GEN003619)
- Stream Control Transmission Protocol (SCTP) (GEN007020)
- Datagram Congestion Control Protocol (DCCP) (GEN007080)
- Reliable Datagram Sockets (RDS) (GEN007480). Some implementations of Oracle Real Application Clusters (RAC) use RDS as an interconnect.
If you don't use IPv6, it is recommended you disable support for it (GEN007700) and you should configure the system to prevent dynamic loading of the IPv6 protocol handler (GEN007720).
Additionally, the guideline recommends disabling support for TIPC, Bluetooth, USB storage devices, and Firewire:
- Transparent Inter-Process Communication (TIPC) (GEN007540). TIPC was specially designed for intra-cluster communication and products like Wind River's VxWorks use it.
- Bluetooth (GEN007660)
- USB Mass Storage (GEN008480)
- IEEE 1394 (Firewire) (GEN008500)
To prevent the loading of the aforementioned modules and network modules, add the following to your /etc/modprobe.conf file:
# Network related
install bridge /bin/false
install sctp /bin/true
install dccp /bin/true
install dccp_ipv4 /bin/true
install dccp_ipv6 /bin/true
install rds /bin/true
install tipc /bin/true
install bluetooth /bin/true
# IPv6
alias net-pf-10 off
alias ipv6 off
install ipv6 /bin/true
# USB and Firewire
install usb-storage /bin/true
install ieee1394 /bin/true
Section 2.2.2.5 of the National Security Agency's “Guide to the Secure Configuration of Red Hat Enterprise Linux 5” also recommends not loading kernel modules for uncommon filesystem types:
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
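Since the point of these entries is to satisfy an auditor's scanner, it helps to have your own check that reads the file the way a scanner would. The script below is an added example, not part of the STIG, the NSA guide or the original post: it takes the module list from both the DISA entries above and the NSA filesystem list, reports any module without an `install <module> /bin/true` (or `/bin/false`, as the post uses for bridge) line, and returns a pass/fail status. The sample modprobe.conf it checks is constructed and deliberately incomplete; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the STIG, the NSA guide or the post): verify that a
# modprobe.conf carries an "install" entry for every module the post lists.

# DISA network/device modules followed by the NSA uncommon-filesystem modules.
REQUIRED_MODULES="bridge sctp dccp dccp_ipv4 dccp_ipv6 rds tipc bluetooth ipv6 usb-storage ieee1394 cramfs freevxfs jffs2 hfs hfsplus squashfs udf"

# Prints each required module that has no blocking "install" line in $1.
# A line counts if it reads "install <mod> /bin/true" or "install <mod> /bin/false",
# with any amount of leading whitespace; anything else (a comment, an alias
# line, a typo in the module name) does not count.
missing_install_entries() {
    conf="$1"
    for mod in $REQUIRED_MODULES; do
        if ! grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$conf"; then
            echo "$mod"
        fi
    done
}

# Returns 0 when every required entry is present, 1 otherwise.
modprobe_conf_compliant() {
    [ -z "$(missing_install_entries "$1")" ]
}

# Constructed sample: the post's entries, but with rds and udf left out and a
# commented-out line for udf that must not be mistaken for a real entry.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Network related
install bridge /bin/false
install sctp /bin/true
install dccp /bin/true
install dccp_ipv4 /bin/true
install dccp_ipv6 /bin/true
install tipc /bin/true
install bluetooth /bin/true
# IPv6
alias net-pf-10 off
alias ipv6 off
install ipv6 /bin/true
# USB and Firewire
install usb-storage /bin/true
install ieee1394 /bin/true
# Uncommon filesystems
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
#install udf /bin/true
EOF

if modprobe_conf_compliant "$SAMPLE_CONF"; then
    echo "modprobe.conf: all required install entries present"
else
    echo "modprobe.conf: missing install entries for:"
    missing_install_entries "$SAMPLE_CONF" | sed 's/^/  /'
fi
```

Run it as `missing_install_entries /etc/modprobe.conf` on the real file. The regex insists on the module name being followed by whitespace, so an entry for `dccp` does not accidentally satisfy the check for `dccp_ipv4`, and the commented-out udf line in the sample is correctly reported as missing.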
My suggestion is always to remove unused software; however, many auditors will probably still want to see the explicit setting in the modprobe.conf file.